Hi, I'm very new to all this issue of SSL, so I apologize if this question sounds stupid. I currently have a server that listens to connections on a TCP port. Clients that connect to it may do so using SSL v3 (mobile clients, which use their own SSL packages, so I have very little control over it). I want to add stunnel to my server's setting, to enable SSL communication. I have no need for the client to authenticate the server, I am only interested in the data being encrypted. I tried setting this up, but the client complains that my server certificate cannot be authenticated (I produced it using http://www.stunnel.org/pem/). Any pointers on how to set such a thing up (even for the time being, while I develop), without having to pay lots of money to a CA ?
On Mon, 14 Feb 2005, Zohar wrote:
> I am only interested in the data being encrypted. I tried setting this up, but the client complains that my server certificate cannot be authenticated (I produced it using http://www.stunnel.org/pem/). Any pointers on how to set such a thing up (even for the time being, while I develop), without having to pay lots of money to a CA ?
This is the infamous 'browser-popup' problem: the 'CA' that signed your server's certificate (in your case most likely a self-signed certificate, but that's the same problem) is not recognized by your clients.
As in: the client receives the server certificate, tries to verify it against its repository of 'trusted CAs' and sees it can't do that. And then generates the warning.
There are two ways to get rid of the message:
- get a server certificate from a CA that is trusted by the clients; if you only care about the encryption and just want to get rid of the popup, get a server cert at http://www.freessl.com/, it will be ~40 euros.
- install the CA certificate that issued your server cert (or your server cert itself) in all connecting clients.
In your situation the first option might be cheapest.
Jan
On Monday, 14 February 2005 08:52, Zohar wrote:
> Hi, I'm very new to all this issue of SSL, so I apologize if this question sounds stupid. I currently have a server that listens to connections on a TCP port. Clients that connect to it may do so using SSL v3 (mobile clients, which use their own SSL packages, so I have very little control over it). I want to add stunnel to my server's setting, to enable SSL communication. I have no need for the client to authenticate the server, I am only interested in the data being encrypted. I tried setting this up, but the client complains that my server certificate cannot be authenticated (I produced it using http://www.stunnel.org/pem/). Any pointers on how to set such a thing up (even for the time being, while I develop), without having to pay lots of money to a CA ?
The server certificate has to be added to the client's trust base, i.e. the client has to be configured to accept your (probably) self-signed server certificate. This has to be done for each client.
-- 
Heiko Nardmann (Dipl.-Ing. Technische Informatik)
secunet Security Networks AG - Security in Networks (www.secunet.de), Weidenauer Str. 223-225, D-57076 Siegen
Tel.: +49 271 48950-13, Fax: +49 271 48950-50
Visit us from 10 - 16 March at CeBIT 2005 in Hall 7, Stand D38.
Information on our CeBIT topics can be found at www.secunet.com - we look forward to talking with you.
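The mechanism behind Jan's second option and Heiko's answer (put the self-signed server certificate itself into the client's trust store) can be reproduced end to end in a few lines. The following Go program is an added example for this thread, not code from stunnel or from any of the posters: it generates a throwaway self-signed certificate (standing in for the PEM from stunnel.org/pem), starts a TLS listener on loopback that plays the role of stunnel in front of the plaintext service, and then connects twice. The first client has an empty trust store, which is the situation of the mobile clients that do not know the certificate, and fails with an "unknown authority" verification error; the second client has the server certificate added as a trust anchor and the handshake succeeds. Names such as selfSignedCert, startServer and connect are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for 127.0.0.1
// (a constructed stand-in for a stunnel.pem). Marked CA:TRUE like the output
// of "openssl req -x509", so it can serve as its own trust anchor.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "stunnel-example-server"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// startServer is the stunnel side: a TLS listener on loopback that echoes
// whatever the client sends (the plaintext backend is simulated inline).
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				buf := make([]byte, 64)
				n, _ := c.Read(buf) // handshake happens here; fails if the client rejects us
				c.Write(buf[:n])
			}(conn)
		}
	}()
	return ln, nil
}

// connect is the client side. roots is the client's trust store; tls.Dial
// verifies the server certificate against it before any data flows.
func connect(addr string, roots *x509.CertPool) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte("ping\n")); err != nil {
		return "", err
	}
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

// demo runs both clients. It returns the untrusted client's error, whether
// that error is the unknown-CA case, and the reply the trusting client got.
func demo() (untrustedErr error, unknownAuthority bool, reply string, err error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return nil, false, "", err
	}
	ln, err := startServer(cert)
	if err != nil {
		return nil, false, "", err
	}
	defer ln.Close()
	addr := ln.Addr().String()

	// Client 1: trust store that does not contain our cert (the mobile clients).
	_, untrustedErr = connect(addr, x509.NewCertPool())
	var ua x509.UnknownAuthorityError
	unknownAuthority = errors.As(untrustedErr, &ua)

	// Client 2: the self-signed server cert installed as a trust anchor.
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	reply, err = connect(addr, pool)
	return untrustedErr, unknownAuthority, reply, err
}

func main() {
	untrustedErr, unknownAuthority, reply, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("client without the cert: %v (unknown authority: %v)\n", untrustedErr, unknownAuthority)
	fmt.Printf("client trusting the cert got: %q\n", reply)
}
```

The second client is exactly what stunnel does in client mode with `verify = 2` and `CAfile` pointing at the server's PEM: the peer certificate is checked against a local file instead of the system's CA bundle, so a self-signed certificate is accepted without any CA involvement, but only on clients where that file has been installed, which is why Heiko notes it has to be done per client.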